Diffstat (limited to 'auth/auth-service')
-rw-r--r--auth/auth-service/pom.xml2
-rw-r--r--auth/auth-service/src/main/java/org/onap/aaf/auth/service/AuthzCassServiceImpl.java18
-rw-r--r--auth/auth-service/src/main/java/org/onap/aaf/auth/service/facade/AuthzFacadeImpl.java6
3 files changed, 16 insertions, 10 deletions
diff --git a/auth/auth-service/pom.xml b/auth/auth-service/pom.xml
index 63585f94..9f9ca869 100644
--- a/auth/auth-service/pom.xml
+++ b/auth/auth-service/pom.xml
@@ -17,7 +17,7 @@
<parent>
<groupId>org.onap.aaf.authz</groupId>
<artifactId>authparent</artifactId>
- <version>2.1.16-SNAPSHOT</version>
+ <version>2.1.17-SNAPSHOT</version>
<relativePath>../pom.xml</relativePath>
</parent>
diff --git a/auth/auth-service/src/main/java/org/onap/aaf/auth/service/AuthzCassServiceImpl.java b/auth/auth-service/src/main/java/org/onap/aaf/auth/service/AuthzCassServiceImpl.java
index 2431e0eb..67410305 100644
--- a/auth/auth-service/src/main/java/org/onap/aaf/auth/service/AuthzCassServiceImpl.java
+++ b/auth/auth-service/src/main/java/org/onap/aaf/auth/service/AuthzCassServiceImpl.java
@@ -2346,10 +2346,11 @@ public class AuthzCassServiceImpl <NSS,PERMS,PERMKEY,ROLES,USERS,USERROLES,DE
}
switch(action) {
case DELETE:
+ String why;
if(ques.isOwner(trans, user,ns) ||
- ques.isAdmin(trans, user,ns) ||
- ques.isGranted(trans, user, ROOT_NS,"password",company,DELETE)) {
- return Result.ok();
+ ques.isAdmin(trans, user,ns) ||
+ ques.isGranted(trans, user, ROOT_NS,"password",company,DELETE)) {
+ return Result.ok();
}
break;
case RESET:
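Review bot: `String why;` added at the top of the DELETE case is never assigned or read anywhere in this hunk, and since a switch body is a single scope the declaration is also visible to every later case label. Either drop the line, or, if it is meant to carry the reason for the `break` path that falls through to a denial, assign it and pass it into that error result. The enclosing method continues outside the hunk, so a later use is possible, but nothing visible here touches it.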
@@ -2509,13 +2510,16 @@ public class AuthzCassServiceImpl <NSS,PERMS,PERMKEY,ROLES,USERS,USERROLES,DE
try {
if (firstID) {
// OK, it's a first ID, and not by NS Owner
- if(!ques.isOwner(trans,trans.user(),cdd.ns)) {
+ String user = trans.user();
+ if(!ques.isOwner(trans,user,cdd.ns)) {
// Admins are not allowed to set first Cred, but Org has already
// said entity MAY create, typically by Permission
// We can't know which reason they are allowed here, so we
// have to assume that any with Special Permission would not be
// an Admin.
- if(ques.isAdmin(trans, trans.user(), cdd.ns)) {
+ String domain = org.supportedDomain(user);
+ if((domain!=null && !ques.isGranted(trans, user, ROOT_NS, "mechid", domain, Question.CREATE)) &&
+ ques.isAdmin(trans, user, cdd.ns)) {
return Result.err(Result.ERR_Denied,
"Only Owners may create first passwords in their Namespace. Admins may modify after one exists" );
} else {
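Review bot: The new Admin guard on lines 57-58 is skipped entirely when `org.supportedDomain(user)` returns null, because `domain!=null && ...` is then false, the whole condition fails, and an Admin drops into the else branch that the old code never let Admins reach. If the intent is to exempt only Admins who hold the `mechid` create grant, an unknown domain should still deny: `if((domain==null || !ques.isGranted(trans, user, ROOT_NS, "mechid", domain, Question.CREATE)) && ques.isAdmin(trans, user, cdd.ns)) {`. Whether `supportedDomain` can return null is not visible here, so this hinges on its contract. The comment block above still says Admins are never allowed; it should mention the mechid-create exception. The enclosing try/if starts and ends outside the hunk.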
@@ -3900,6 +3904,10 @@ public class AuthzCassServiceImpl <NSS,PERMS,PERMKEY,ROLES,USERS,USERROLES,DE
}
final DelegateDAO.Data dd = rd.value;
+
+ if(dd.user.contentEquals(dd.delegate) && !trans.requested(force)) {
+ return Result.err(Status.ERR_InvalidDelegate,dd.user + " cannot delegate to self");
+ }
Result<List<DelegateDAO.Data>> ddr = ques.delegateDAO().read(trans, dd);
if (access==Access.create && ddr.isOKhasData()) {
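Review bot: `dd.user.contentEquals(dd.delegate)` on line 66 throws a NullPointerException when either field is null; `dd` is `rd.value`, which looks like the parsed request payload, so a request missing `user` or `delegate` would surface as an unhandled exception rather than a validation error. Guard it, e.g. `if(dd.user!=null && dd.user.equals(dd.delegate) && !trans.requested(force)) {`, or validate both fields non-null before this point. A one-line comment on why `force` may override the self-delegation rule would also help, since a caller-supplied flag bypassing an authorization sanity check is easy to misread. The enclosing method starts and ends outside the hunk.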
diff --git a/auth/auth-service/src/main/java/org/onap/aaf/auth/service/facade/AuthzFacadeImpl.java b/auth/auth-service/src/main/java/org/onap/aaf/auth/service/facade/AuthzFacadeImpl.java
index 60b76ea2..4a299e7e 100644
--- a/auth/auth-service/src/main/java/org/onap/aaf/auth/service/facade/AuthzFacadeImpl.java
+++ b/auth/auth-service/src/main/java/org/onap/aaf/auth/service/facade/AuthzFacadeImpl.java
@@ -135,7 +135,7 @@ public abstract class AuthzFacadeImpl<NSS,PERMS,PERMKEY,ROLES,USERS,USERROLES,DE
(nssDF = env.newDataFactory(service.mapper().getClass(API.NSS))).in(dataType).out(dataType);
(permRequestDF = env.newDataFactory(service.mapper().getClass(API.PERM_REQ))).in(dataType).out(dataType);
(permsDF = env.newDataFactory(service.mapper().getClass(API.PERMS))).in(dataType).out(dataType);
-// (permKeyDF = env.newDataFactory(service.mapper().getClass(API.PERM_KEY))).in(dataType).out(dataType);
+
(roleDF = env.newDataFactory(service.mapper().getClass(API.ROLES))).in(dataType).out(dataType);
(roleRequestDF = env.newDataFactory(service.mapper().getClass(API.ROLE_REQ))).in(dataType).out(dataType);
(usersDF = env.newDataFactory(service.mapper().getClass(API.USERS))).in(dataType).out(dataType);
@@ -174,7 +174,7 @@ public abstract class AuthzFacadeImpl<NSS,PERMS,PERMKEY,ROLES,USERS,USERROLES,DE
if (result.variables==null || result.variables.length<1) {
detail = new String[1];
} else {
- List<String> dlist = new ArrayList<String>();
+ List<String> dlist = new ArrayList<>();
dlist.add(null);
String os;
for(Object s : result.variables) {
@@ -185,8 +185,6 @@ public abstract class AuthzFacadeImpl<NSS,PERMS,PERMKEY,ROLES,USERS,USERROLES,DE
detail = new String[dlist.size()];
dlist.toArray(detail);
}
- //int httpstatus;
-
switch(result.status) {
case ERR_ActionNotCompleted:
msgId = "SVC1202";